Abstract. Type-flaw attacks upon security protocols, wherein agents are
led to misinterpret message types, have been reported frequently in the
literature. Preventing them is crucial for protocol security and verification.
Heather et al. proved that tagging every message field with its type
prevents all type-flaw attacks under a free message algebra and perfect
encryption.

In this paper, we prove that type-flaw attacks can be prevented
with the same technique even under the ACUN algebraic properties of XOR,
which is commonly used in "real-world" protocols such as SSL 3.0. Our
proof method is general and can be easily extended to other monoidal
operators that possess properties such as Inverse and Idempotence as
well. We also discuss how tagging could be used to prevent type-flaw
attacks under other properties such as associativity of pairing, commutative
encryption, the prefix property and homomorphic encryption.
1 Introduction

A type-flaw attack on a protocol is an attack where a message variable of one 
type is essentially substituted with a message of a different type, to cause a 
violation of a security property. 

In their pioneering work, Heather et al. proved that pairing constants called
"tags" with each message field prevents type-flaw attacks [1].

Does preventing type-flaw attacks have advantages? 
— As Heather et al. pointed out, besides the obvious advantage to security
in preventing these commonly and frequently reported attacks, preventing
them also allows many unbounded verification approaches (e.g. [2-4]) to be
meaningful, since they assume the absence of type-flaw attacks;

— Further, Ramanujam-Suresh found that the absence of any type-flaw attacks
allows us to restrict analysis to well-typed runs only [5], which is a decidable
problem; i.e., security can be decided by analysing just a single session.

Thus, prevention of type-flaw attacks is a crucial and significant result toward
protocol analysis and verification.

However, Heather et al.'s work only considered a basic protocol model with 
a free message algebra and perfect encryption. Operators such as Exclusive-OR 
and ciphers such as CBC possess algebraic properties that violate these assump- 
tions. Recent focus in research projects world-wide has been to extend protocol 
analysis with algebraic properties to accommodate "real-world" protocols (e.g. 
[6,7]). Naturally, a corresponding study into type-flaw attacks would be both 
crucial and interesting. 

With this motivation, we examined several algebraic properties described in 
the survey by Cortier et al. [8] such as: 

— Associative pairing, Commutative encryption, and Monoidal theories that 
violate the free algebra assumption; 

— the Prefix property, Homomorphic encryption, and the Low-exponent RSA weakness
that violate the perfect encryption assumption.

We report our observations in this paper. As our main contribution, we prove
that type-tagging prevents all type-flaw attacks under XOR, which possesses the ACUN
properties (Associativity, Commutativity, existence of Unity and Nilpotence).
The proof approach is quite general and can be easily extended to other monoidal
theories, such as those with Inverse and Idempotence, as well. We also advocate some
prudent tagging practices to prevent type-flaw attacks under the other algebraic
properties mentioned above.

Organization. In Section 2, we show how type-tagging can prevent type-flaw
attacks under XOR using an example. In Section 3, we give a formal treatment of
type-flaw attacks in a symbolic model and provide a simpler proof compared to
[1] that tagging prevents type-flaw attacks under XOR. In Section 4, we examine
how the result withstands each algebraic property and suggest remedies in the
form of prudent engineering principles. We sum up with a Conclusion.

2 Tagging prevents type-flaw attacks under XOR - Example

Consider the adapted Needham-Schroeder-Lowe protocol (NSL$_\oplus$) by Chevalier
et al. [9]:

($A$ and $B$ are agent variables; $N_A$, $N_B$ are nonce variables; $[X]_Y$
represents $X$ encrypted with $Y$ using an asymmetric encryption algorithm.)

A type-flaw attack is possible on this protocol even in the presence of
component numbering (recently presented in [10]):

Notice the type-flaw in the first message ($n_a \oplus b \oplus i$ substituted for the
claimed $N_A$), which induces a type-flaw in the second message as well. This is
strictly a type-flaw attack, since without the type-flaw, and consequently without
exploiting the algebraic properties, the same attack is not possible.

Component numbering also cannot prevent type-flaw attacks under the Inverse
property, which allows cancellation much like Nilpotence. Consider the operators
$\{+, -, 0\}$, where $+$ is binary addition, $-$ a unary operator, and $0$
a constant. Then, if we change the $\oplus$ operator in the NSL$_\oplus$ protocol to
$+$, variable $N_A$ could be substituted with $n_a + i - b$ to form the same
attack as with $\oplus$.

The above attack can be avoided if type-tagging is adopted for the
elements of the XOR operator:

Msg $\beta.2$ is then not replayable as Msg $\alpha.2$ even when $i(a)$ sends
Msg $\beta.1$ as $i(a) \to b : [1, [nonce, n_a] \oplus [agent, b] \oplus [agent, i], a]^{\to}_{pk(b)}$,
since Msg $\beta.2$ then becomes $b \to i(a) : [2, [nonce, [nonce, n_a] \oplus [agent, b] \oplus [agent, i]] \oplus [agent, b], n_b]^{\to}_{pk(a)}$.

This is not replayable as the required Msg $\alpha.2$: $i \to a : [2, [nonce, n_a] \oplus [agent, i], n_b]^{\to}_{pk(a)}$,
because, inside Msg $\beta.2$, one occurrence of $[agent, b]$
is in $[nonce, [nonce, n_a] \oplus [agent, b] \oplus [agent, i]]$ and the other is outside.
Hence, they cannot be cancelled.

A similar reasoning applies to the Inverse property for $+$ instead of
Nilpotence. We leave this for the reader to verify.
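The cancellation argument above can be checked mechanically. The following Python script is an added example and not part of the paper: it normalizes XOR terms modulo ACUN (flatten nested XORs, sort summands, drop the unit, cancel summands that occur an even number of times) and replays the Section 2 scenario, first against the untagged NSL$_\oplus$ Msg 2 $[2, N_A \oplus B, N_B]_{pk(A)}$ and then against its tagged form. The tuple-based term syntax, the function names and the concrete agent and nonce names ($a$, $b$, $i$, $n_a$, $n_b$) are assumptions of the example.

```python
from collections import Counter

# Term representation assumed by this example (not the paper's own syntax):
#   str                    atom: "n_a" (nonce), "b" (agent), "0" (XOR unit)
#   ("pair", t1, ..., tn)  concatenation [t1, ..., tn]
#   ("enc", t, k)          [t]_k          ("pk", a)  pk(a)
#   ("xor", t1, ..., tn)   t1 xor ... xor tn
ZERO = "0"


def normalize(t):
    """Normal form modulo E_STD u E_ACUN.  Non-XOR constructors are free and
    are normalized argument-wise.  For XOR: nested XORs are flattened (A),
    summands are sorted (C), the unit is dropped (U), and summands occurring
    an even number of times cancel (N)."""
    if isinstance(t, str):
        return t
    head, args = t[0], [normalize(a) for a in t[1:]]
    if head != "xor":
        return (head, *args)
    counts = Counter()
    for a in args:
        if isinstance(a, tuple) and a[0] == "xor":
            counts.update(a[1:])  # associativity: flatten nested XOR
        elif a != ZERO:  # unity: 0 contributes nothing
            counts[a] += 1
    rest = sorted((s for s, c in counts.items() if c % 2), key=repr)  # nilpotence
    if not rest:
        return ZERO
    return rest[0] if len(rest) == 1 else ("xor", *rest)


def equal_acun(t1, t2):
    """t1 = t2 in the combined theory iff their normal forms coincide."""
    return normalize(t1) == normalize(t2)


def responder_msg2(received_na, b, n_b, a, tagged):
    """Msg 2 of NSL_xor as sent by responder b to whoever claims to be a:
    [2, N_A xor B, N_B]_{pk(A)}.  In the tagged protocol b wraps the field it
    took for N_A in a 'nonce' tag and its own name in an 'agent' tag."""
    if tagged:
        body = ("xor", ("pair", "nonce", received_na), ("pair", "agent", b))
    else:
        body = ("xor", received_na, b)
    return ("enc", ("pair", "2", body, n_b), ("pk", a))


def attack_succeeds(tagged):
    """Section 2 scenario: intruder i, posing as a towards b, puts
    n_a xor b xor i where b expects N_A (each summand tagged in the tagged
    run, as Def. 9 requires of every XOR summand).  The replay works iff b's
    reply equals the Msg 2 that a is waiting for from i in her own session."""
    n_a, n_b = "n_a", "n_b"
    if tagged:
        injected = ("xor", ("pair", "nonce", n_a), ("pair", "agent", "b"),
                    ("pair", "agent", "i"))
        wanted_body = ("xor", ("pair", "nonce", n_a), ("pair", "agent", "i"))
    else:
        injected = ("xor", n_a, "b", "i")
        wanted_body = ("xor", n_a, "i")
    wanted = ("enc", ("pair", "2", wanted_body, n_b), ("pk", "a"))
    return equal_acun(responder_msg2(injected, "b", n_b, "a", tagged), wanted)
```

`attack_succeeds(False)` is true because the outer $b$ that the responder XORs in cancels the $b$ inside the injected field; `attack_succeeds(True)` is false because the injected field is now wrapped in a `("pair", "nonce", ...)` constructor, which the normalizer treats as free, so the two occurrences of `("pair", "agent", "b")` sit at different depths and never meet in the same XOR multiset.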

In the next section, we will prove these claims formally.

3 Type-tagging prevents type-flaw attacks: Proof 

In this section, we present a formal proof extending an approach presented in
[11]: non-unifiability of encryptions (which can be ensured by tagging with
component numbers) prevents type-flaw attacks with free operators, and a more
detailed type-tagging prevents them under the monoidal XOR operator. Our
proof is much simpler than that of [1] and, more importantly, allows us to easily study
how the result extrapolates to operators with algebraic properties. Furthermore,
being a symbolic protocol model, the framework is flexible enough to include the
much needed equational unification for additional equational theories.

3.1 Term Algebra

We start off with a term algebra with mostly free operators except for the XOR 
operator. 

Definition 1. [Terms] A term is one of the following:

Variable (can be an Agent, Nonce etc., which are all subsets of $Var$); Constant
(numbers $1, 2, \ldots$; the name of the attacker $e$, etc.); Atom (split into sets
agents, nonces etc.); Concatenation, denoted $[t_1, \ldots, t_n]$ if $t_1, \ldots, t_n$ are
terms; Public-Key, denoted $pk(A)$ with $A$ of type Agent; Shared-Key, denoted
$sh(A, B)$ with $A$ and $B$ of type Agent; Asymmetric encryption, denoted
$[t]^{\to}_k$ where $t$ and $k$ are terms; Symmetric encryption, denoted $[t]^{\leftrightarrow}_k$
where $t$ and $k$ are terms; Hash, denoted $h(t)$ where $t$ is a term; Signature,
denoted $Sig_k(t)$ where $t$ is a term to be validated using the key $k$; XOR, denoted
$t_1 \oplus \ldots \oplus t_n$ where $t_1, \ldots, t_n$ are terms.

We will drop the superscripts $\to$ and $\leftrightarrow$ if the mode of encryption is
irrelevant.

We will call terms with no atoms (only constants and variables) parametric
terms. We will call a parametric term in which the variables have been substituted
with variables and/or atoms a semi-term.

We will assume that the reader is familiar with the standard definitions of
syntactic unification and the most general unifier (mgu). We will write $t \approx t'$
if $t$ and $t'$ are unifiable.

As usual, subterms are defined to capture parts of messages:

Definition 2. [Subterm]

Term $t$ is a subterm of $t'$ (denoted $t \sqsubseteq t'$) if

— $t = t'$, or

— $t' = [t_1, \ldots, t_n]$ with $t \sqsubseteq t''$, where $t'' \in \{t_1, \ldots, t_n\}$, or

— $t' = [t'']_k$ with $t \sqsubseteq t''$, or

— $t' = h(t'')$ with $t \sqsubseteq t''$, or

— $t' = Sig_k(t'')$ with $t \sqsubseteq t''$, or

— $t' = t_1 \oplus \ldots \oplus t_n$ with $t \sqsubseteq t''$, where $t'' \in \{t_1, \ldots, t_n\}$.



We will call encrypted subterms, hashes and signatures Compound Terms;
we will denote them by $CT(T)$ for a set of terms $T$.

We will denote the type of a variable or atom $t$ as $type(t)$. We overload
this to give the type of other terms. For instance, $type([t_1, \ldots, t_n]) =
[type(t_1), \ldots, type(t_n)]$ and $type([t]_k) = [type(t)]_{type(k)}$.

We will call a substitution of a term $t$ for a variable $V$ a "well-typed"
substitution if $type(t) = type(V)$. We will call a set of substitutions
$\sigma$ well-typed, and write well-typed$(\sigma)$, if all its members are well-typed;
otherwise, we call $\sigma$ ill-typed.

We will assume that all operators in the term algebra except the XOR
operator are free of equations of the form $t = t'$ where $t$ and $t'$
are two different terms. Thus, every equation between two terms that were not
constructed with the XOR operator is of the form $t = t$. We will denote
this theory $E_{STD}$.

On the other hand, we will assume that terms created with the XOR operator
obey the following equational theory, denoted $E_{ACUN}$, corresponding to
its ACUN algebraic properties: $t_1 \oplus (t_2 \oplus t_3) = (t_1 \oplus t_2) \oplus t_3$
(Associativity); $t_1 \oplus t_2 = t_2 \oplus t_1$ (Commutativity); $t_1 \oplus 0 = t_1$
(existence of Unity); $t_1 \oplus t_1 = 0$ (Nilpotence).

We will denote the unification algorithms for terms constructed purely with
the standard operators and purely with the XOR operator as $A_{STD}$ and $A_{ACUN}$
respectively.

Terms constructed using both the standard operators and the XOR operator
can be unified using $A_{STD}$, $A_{ACUN}$ and the combination algorithm of Baader
& Schulz [12], resulting in a finite number of most general unifiers.

3.2 Strands and Semi-bundles 

The protocol model is based on the strand space framework of [2] . 

Definition 3. [Node, Strand, Protocol]

A node is a tuple $(Sign, Term)$, denoted $+m$ when it sends a term
$m$, or $-m$ when it receives $m$. The sign of a node $n$ is denoted
$sign(n)$, which can be '$+$' or '$-$', and its term $term(n)$ is derived
from the term algebra. A strand is a sequence of nodes, denoted $\langle n_1, \ldots, n_k \rangle$
if it has $k$ nodes. Nodes in a strand are related by the edge $\Rightarrow$, defined such
that if $n_i$ and $n_{i+1}$ belong to the same strand, then we write $n_i \Rightarrow n_{i+1}$.

A parametric strand is a strand with all parametric terms on its nodes. A
protocol is a set of parametric strands.

Protocol roles (or parametric strands) can be partially instantiated to produce
semi-strands, containing on their nodes semi-terms obtained by instantiating the
parametric terms, depending on the knowledge of agents concerning the variables
being instantiated: a variable is instantiated to an atom if the agent to which
the strand corresponds either creates the atom according to the protocol or
knows the value (e.g. it being public, such as an agent name). Variables may also
be replaced with new variables in order for different semi-strands
of the same parametric strand to be distinguishable. This is done if more than
one instance of a role is visualized in an execution scenario.

We will denote the substitution to a parametric strand $p$ by an honest
agent leading to a semi-strand $s$ as $\sigma_h^s\, p$.
For instance, role 'A' in the NSL$_\oplus$ protocol is the parametric strand

$role_A = \langle +[1, N_A, A]^{\to}_{pk(B)},\ -[2, [nonce, N_A] \oplus [agent, B], N_B]^{\to}_{pk(A)},\ +[3, N_B]^{\to}_{pk(B)} \rangle$

and an agent 'a' that plays the role could be the semi-strand

$\sigma_h^s\, role_A = \langle +[1, n_a, a]^{\to}_{pk(B)},\ -[2, [nonce, n_a] \oplus [agent, B], N_B]^{\to}_{pk(a)},\ +[3, N_B]^{\to}_{pk(B)} \rangle$

where $\sigma_h^s = \{a/A, n_a/N_A\}$.

A set of semi-strands is a semi-bundle. We will denote the set of all
substitutions to a protocol by honest agents leading to a semi-bundle $S$ as
$\sigma_h^S$.

We will assume that honest agent substitutions leading to semi-strands are
always well-typed:

Assumption 1. Let $P$ be a protocol and $S$ be a semi-bundle such that
$S = \sigma_h^S P$. Then, $(\forall \sigma \in \sigma_h^S)(\mathit{well\text{-}typed}(\sigma))$.

We will use the relation 'precedes' ($\prec$) on stand-alone strands in semi-bundles:
let $s$ be a strand in a semi-bundle $S$. Then,
$(\forall n_i, n_j \in s)(i < j \Rightarrow n_i \prec n_j)$.

We will abuse the notation $CT()$ on strands, protocols and semi-bundles
as well. We will write $t \in S$ even if $t$ is a term on some node of some
strand of a semi-bundle $S$.
3.3 Constraints and Satisfiability

We use the constraint solving model of Millen-Shmatikov [13] that was later
modified by Chevalier [14] to model the penetrator.³

The main constraint satisfaction procedure, denoted $P_\oplus$, first forms a
constraint sequence from an interleaving of nodes belonging to strands in a
semi-bundle:

Definition 4. [Constraint sequence]

A constraint sequence $C = \langle term(n_1) : T_1, \ldots, term(n_k) : T_k \rangle$
is from a semi-bundle $S$ with $k$ '$-$' nodes if $(\forall n)(\forall n')((term(n') : T \in C) \wedge (term(n) \in T) \Rightarrow (n \prec n'))$.
Further, if $i < j$ and $n_i, n_j$ belong to the same strand, then $n_i \prec n_j$,
and $(\forall i = 1 \text{ to } k-1)(T_i \subseteq T_{i+1})$.

A symbolic reduction rule applied to a constraint $m : T$ is said to
"reduce" it to another constraint $m : T'$ or $m' : T$. $P_\oplus$ applies a set
of such rules $R_\oplus$ (Table 1) in any order to the first constraint in a sequence
that does not have a variable as its target, called the "active constraint". It
is worth mentioning that $P_\oplus$ eliminates any stand-alone or free variables in
the term set of a constraint (rule (elim)) before applying any other rule.
(pair)     $[t_1, \ldots, t_n] : T \;\longrightarrow\; t_1 : T, \ldots, t_n : T$

(split)    $t : T \cup \{[t_1, \ldots, t_n]\} \;\longrightarrow\; t : T \cup \{t_1, \ldots, t_n\}$

(sdec)     $m : \{[t]_k\} \cup T \;\longrightarrow\; k : T,\ m : T \cup \{t, k\}$

(XOR$_R$)  $m : T \cup \{t_1, \ldots, t_n\} \;\longrightarrow\; m : T \cup \{t_1 \oplus \ldots \oplus t_n\}$

(XOR$_L$)  $t_1 \oplus \ldots \oplus t_n : T \;\longrightarrow\; t_1 : T,\ t_2 \oplus \ldots \oplus t_n : T$

(Sig)      $Sig_k(t) : T \;\longrightarrow\; t : T$

(Hash)     $h(t) : T \;\longrightarrow\; t : T$

Table 1. Set of reduction rules, $R_\oplus = R \cup \{XOR_L, XOR_R\}$



The rules in Table 1 do not affect the attacker substitution. There are two
other rules that involve unification and generate a new substitution that is to
be applied to the whole sequence before applying the next rule. It is worth
giving a more detailed account of those rules, including the transformation of
the constraints before the active constraint ($C_<$) and the ones after it ($C_>$):

(un)    $C_<,\ m : T \cup \{t\},\ C_>;\ \sigma \;\longrightarrow\; \tau C_<,\ \tau C_>;\ \tau \cup \sigma$, where $\tau = mgu(m, t)$

(ksub)  $C_<,\ m : \{[t]^{\to}_k\} \cup T,\ C_>;\ \sigma \;\longrightarrow\; \tau C_<,\ \tau m : \{\tau [t]^{\to}_k\} \cup \tau T,\ \tau C_>;\ \tau \cup \sigma$, where $\tau = mgu(k, pk(e))$, $k \neq pk(e)$



A sequence of applications of reduction rules on a constraint sequence can 
transform it into a "simple" constraint sequence: 



³ Heather et al. [1] used the classical penetrator strands of [2], but the basic penetrator
capabilities are equal in both models.
Definition 5. [Simple constraint sequence]

A constraint $m : T$ is a simple constraint if $m$ is a variable.
A constraint sequence $C$ is a simple constraint sequence if every
constraint in $C$ is a simple constraint.

The possibility of forming bundles from a given semi-bundle can be determined
by testing if constraint sequences from it are satisfiable. Satisfiability is
usually defined in terms of attacker operations on ground terms; however, Chevalier
[14] proved that $P_\oplus$ is terminating, sound and complete with respect to
the attacker capabilities. Hence, we define satisfiability directly in terms of the
decision procedure:

Definition 6. [Satisfiability]

A constraint is satisfiable if a sequence of reduction rule applications from
$R_\oplus$ results in a simple constraint. A constraint sequence $C$ is satisfiable
if every constraint in the sequence is satisfiable. Further, the substitution $\sigma$
accumulated from the initially empty one is said to satisfy $C$, denoted $\sigma \vdash C$.

It is useful to characterize "normal" constraint sequences which are those 
that do not contain pairs on the left and right sides of any constraint: 

Definition 7. [Normal Constraint Sequence] 

A constraint sequence C is normal iff for every constraint m : T € C , 
m is not a pair and for every t G T , t is not a pair. 

It has been proven in [14] that any constraint sequence can be "normalized" 
such that if a substitution satisfies the original sequence, it can also satisfy the 
normalized sequence. 

Violations of trace properties such as secrecy and authentication can be em- 
bedded in a semi-bundle so that a satisfiable constraint sequence from the semi- 
bundle points to an attack. Using this concept, we define a type-flaw attack: 

Definition 8. [Type-flaw attacks]

A type-flaw attack exists on a semi-bundle $S$ if a constraint sequence
$C$ from $S$ is satisfiable with an ill-typed substitution but not with a well-typed
substitution, i.e. $(\exists \sigma)(\sigma \vdash C) \wedge (\nexists \sigma')((\sigma' \vdash C) \wedge \mathit{well\text{-}typed}(\sigma'))$.

3.4 Main requirement — Non-Unifiability of Terms 

We will now state our main requirement on protocol messages which states that 
textually distinct compound terms should be non-unifiable and that all XORed 
terms must be type-tagged: 

Definition 9. [NUT]

Let $P$ be a protocol. Then $P$ is NUT-Satisfying iff

— $(\forall t_1 \in CT(P))(\forall t_2 \in CT(P))(t_1 \neq t_2 \Rightarrow t_1 \not\approx t_2)$;

— $(\forall t)(\forall t')((t \in P) \wedge (t = t_1 \oplus \ldots \oplus t_n) \wedge (t' \in \{t_1, \ldots, t_n\}) \Rightarrow (\exists t'')(t' = [type(t''), t'']))$.

It can be easily seen that NUT for terms constructed with standard operators
is achieved by placing component numbers as the first element of the concatenation
inside every distinct compound term of a protocol, e.g. $[1, N_A, A]^{\to}_{pk(B)}$,
$[2, N_A, [3, N_B, A]^{\leftrightarrow}_{sh(A,B)}]^{\leftrightarrow}_{sh(B,S)}$, etc. Further, for terms that are XORed
together, type tags must be included. For instance, $N_A \oplus B \oplus [1, N_A, A]_k$ should
be transformed into $[nonce, N_A] \oplus [agent, B] \oplus [[nonce, agent]_k, [1, N_A, A]_k]$.

The tagged NSL$_\oplus$ protocol in Section 2 clearly conforms to these stipulations
and hence is a NUT-Satisfying protocol.
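Both NUT clauses are decidable by purely syntactic means, so a protocol can be checked against Def. 9 before any analysis is run. The Python below is an added example, not the paper's own code: a Robinson unifier standing in for $A_{STD}$, the overloaded $type()$ of Section 3.1, a well-typedness check on unifiers, and a checker for Def. 9 run over the encrypted components of Msg 3 and Msg 5 of the Woo-Lam $\Pi_1$ protocol of Section 4.2 (with and without component numbers) and over NSL$_\oplus$ (with untagged and with tagged XOR summands). The term encoding, the tag convention and all identifiers are assumptions of the example.

```python
# Term syntax assumed by this example (it is not the paper's notation):
#   ("var", name, type) and ("atom", name, type), e.g. ("var", "N_A", "nonce")
#   ("pair", t1, ..., tn)  ("enc", t, k)  ("xor", t1, ..., tn)
#   ("pk", a)  ("sh", a, b)  ("hash", t)  ("sig", t, k)
# A tag is an atom of type "tag" whose name is the type of the tagged term.

def V(name, ty): return ("var", name, ty)
def A(name, ty): return ("atom", name, ty)
def num(n): return A(str(n), "num")
def tagged(ty, t): return ("pair", A(ty, "tag"), t)
def is_leaf(t): return t[0] in ("var", "atom")

def type_of(t):
    """Overloaded type of Section 3.1, rendered as a string."""
    if is_leaf(t):
        return t[2]
    return t[0] + "(" + ",".join(type_of(a) for a in t[1:]) + ")"

def walk(t, s):
    while t[0] == "var" and t in s:
        t = s[t]
    return t

def occurs(v, t, s):
    t = walk(t, s)
    return t == v or (not is_leaf(t) and any(occurs(v, a, s) for a in t[1:]))

def unify(t1, t2, s=None):
    """Syntactic unification standing in for A_STD: an mgu (dict) or None.
    XOR is a free constructor here; the second NUT clause forbids bare
    variables under XOR, so this suffices for checking the first clause."""
    s = {} if s is None else s
    t1, t2 = walk(t1, s), walk(t2, s)
    if t1 == t2:
        return s
    if t1[0] == "var":
        if occurs(t1, t2, s):
            return None
        s[t1] = t2
        return s
    if t2[0] == "var":
        return unify(t2, t1, s)
    if is_leaf(t1) or is_leaf(t2) or t1[0] != t2[0] or len(t1) != len(t2):
        return None
    for a, b in zip(t1[1:], t2[1:]):
        if unify(a, b, s) is None:
            return None
    return s

def apply(t, s):
    t = walk(t, s)
    return t if is_leaf(t) else (t[0], *(apply(a, s) for a in t[1:]))

def well_typed(s):
    """Every binding replaces a variable by a term of the variable's type."""
    return all(type_of(v) == type_of(apply(t, s)) for v, t in s.items())

def subterms(t, heads):
    out = [t] if t[0] in heads else []
    if not is_leaf(t):
        for a in t[1:]:
            out += subterms(a, heads)
    return out

def nut_violations(protocol):
    """Def. 9 over the textually distinct terms of a protocol: two distinct
    compound terms must not unify, and every XOR summand must be [type(t), t]."""
    cts = sorted({c for m in protocol for c in subterms(m, ("enc", "hash", "sig"))}, key=repr)
    bad = [("unifiable", a, b) for i, a in enumerate(cts) for b in cts[i + 1:]
           if unify(a, b) is not None]
    for m in protocol:
        for x in subterms(m, ("xor",)):
            for t in x[1:]:
                ok = (t[0] == "pair" and len(t) == 3 and t[1][0] == "atom"
                      and t[1][2] == "tag" and t[1][1] == type_of(t[2]))
                if not ok:
                    bad.append(("untagged xor summand", t))
    return bad

NA, NB = V("N_A", "nonce"), V("N_B", "nonce")
AG_A, AG_B, SRV = V("A", "agent"), V("B", "agent"), V("S", "agent")

# Woo-Lam Pi_1, encrypted components of Msg 3 and Msg 5 (Section 4.2), parametric.
WOO_LAM_PLAIN = [("enc", ("pair", AG_A, AG_B, NB), ("sh", AG_A, SRV)),
                 ("enc", ("pair", AG_A, AG_B, NB), ("sh", AG_B, SRV))]
WOO_LAM_NUMBERED = [("enc", ("pair", num(1), AG_A, AG_B, NB), ("sh", AG_A, SRV)),
                    ("enc", ("pair", num(3), AG_A, AG_B, NB), ("sh", AG_B, SRV))]
# NSL_xor with component numbers; first with untagged, then with tagged XOR summands.
NSL_XOR_NUMBERED = [("enc", ("pair", num(1), NA, AG_A), ("pk", AG_B)),
                    ("enc", ("pair", num(2), ("xor", NA, AG_B), NB), ("pk", AG_A)),
                    ("enc", ("pair", num(3), NB), ("pk", AG_B))]
NSL_XOR_TAGGED = [("enc", ("pair", num(1), NA, AG_A), ("pk", AG_B)),
                  ("enc", ("pair", num(2), ("xor", tagged("nonce", NA), tagged("agent", AG_B)), NB),
                   ("pk", AG_A)),
                  ("enc", ("pair", num(3), NB), ("pk", AG_B))]
```

`nut_violations(WOO_LAM_PLAIN)` reports that the Msg 3 and Msg 5 encryptions unify (with $A := B$), which is exactly the confusion the component numbers in `WOO_LAM_NUMBERED` rule out; `NSL_XOR_NUMBERED` passes the first clause but fails the second on both summands of $N_A \oplus B$, and `NSL_XOR_TAGGED` passes both.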

3.5 Main result 

We will now prove that NUT-Satisfying protocols are not vulnerable to type-flaw
attacks.

The main idea is to show that every unification when applying $P_\oplus$ to a constraint
sequence from a NUT-Satisfying protocol results in a well-typed unifier.

The intuition behind showing that unifiers are necessarily well-typed is as
follows: informally, the problem of unification of two terms under the combined
theory $E_{STD} \cup E_{ACUN}$ must first be split into subproblems that are purely in
$E_{STD}$ or purely in $E_{ACUN}$, according to the Baader-Schulz algorithm.

Now, $E_{ACUN}$ problems will have a unifier only if the XOR terms contain variables.
However, according to our extended requirement of NUT above, no protocol
term has an XOR term with an untagged variable. Further, the XOR terms
produced by $P_\oplus$ in the term set of a constraint cannot contain variables either,
since, as in $P$, the rule (elim) eliminates any stand-alone variables in a term set
before applying any other rule. Thus, algorithm $A_{ACUN}$ returns an empty unifier.
Unification of $E_{ACUN}$ problems only happens when two standard terms that were
replaced by variables belong to the same equivalence class, can be unified with
$A_{STD}$ and can thus be cancelled.

In summary, the unifier for a problem in $E_{STD} \cup E_{ACUN}$ under the extended
requirement of NUT comes only from applying $A_{STD}$. We show that these problems
always produce well-typed unifiers.

For instance, consider the unification problem

$[1, n_a]_{pk(B)} \oplus [1, N_B]_{pk(a)} \stackrel{?}{\approx} [2, A] \oplus [2, b]$.

Following the Baader & Schulz method, we first purify this into the sub-problems

$W \stackrel{?}{\approx}_{E_{STD}} [1, n_a]_{pk(B)}$, $X \stackrel{?}{\approx}_{E_{STD}} [1, N_B]_{pk(a)}$, $Y \stackrel{?}{\approx}_{E_{STD}} [2, A]$, $Z \stackrel{?}{\approx}_{E_{STD}} [2, b]$

and $W \stackrel{?}{\approx}_{E_{ACUN}} X \oplus Y \oplus Z$.

Now, the new variables $W, X, Y$ and $Z$ are treated as constants
during $A_{ACUN}$. In that case, the problem $W \stackrel{?}{\approx} X \oplus Y \oplus Z$ is
not unifiable. However, there is a step we missed: we need to form equivalence
classes from the variables $W, X, Y$ and $Z$ such that variables from
one class can be replaced with just one representative element. In this case, if we
partition the variables into $\{\{W\}, \{X\}, \{Y, Z\}\}$, then we can change
the problem $W \stackrel{?}{\approx}_{E_{ACUN}} X \oplus Y \oplus Z$ into $W \stackrel{?}{\approx}_{E_{ACUN}} X \oplus Y \oplus Y$
with the additional problem $Y \stackrel{?}{\approx}_{E_{STD}} Z$. This is obviously equivalent to
$W \stackrel{?}{\approx}_{E_{STD}} X$, since the $Y$'s cancel out, leading to another sub-problem.

Now all the sub-problems are purely in the STD theory (terms on either
side do not involve the $\oplus$ operator):

$[1, n_a]_{pk(B)} \stackrel{?}{\approx}_{E_{STD}} [1, N_B]_{pk(a)}$, $[2, A] \stackrel{?}{\approx}_{E_{STD}} [2, b]$.

It can be easily seen that $A_{STD}$ outputs a well-typed unifier ($\{n_a/N_B, a/B, b/A\}$)
for these problems, resulting in a well-typed unifier for the combination of $A_{STD}$
and $A_{ACUN}$, since $A_{ACUN}$ outputs an empty unifier.

Theorem 1. [NUT prevents type-flaw attacks]

Let $P$ be a NUT-Satisfying protocol and $S = \sigma_h^S P$. Let $C$ be a normal constraint
sequence from $S$. Then, $(\sigma \vdash C) \Rightarrow (\exists \sigma')((\sigma' \vdash C) \wedge \mathit{well\text{-}typed}(\sigma'))$.

Proof. If $\sigma$ satisfies $C$, then from Def. 6, rules from $R_\oplus$ have been used to reduce
it to a simple constraint sequence. The only rules that can change $\sigma$ are (un)
and (ksub). (ksub) makes a well-typed substitution since it unifies a key term with
the attacker's public key, which is of the same type.

We prove below that if $m : T \cup \{t\} \in C$ and $m \approx t$, then for each $\tau = mgu(m, t)$,
well-typed$(\tau)$ holds. Since initially $\sigma$ is empty, using induction on each constraint of
the sequence, we can then conclude that $\sigma$ is well-typed.

Following the combination algorithm of [12] as described in [15], let the initial
problem $\Gamma = \{m \stackrel{?}{\approx} t\}$ be reduced to $(\Gamma', <, p)$ where

— $\Gamma'$ is a set of unification problems $\{m_1 \stackrel{?}{\approx} t_1, \ldots, m_n \stackrel{?}{\approx} t_n\}$;

— $\Gamma'$ is pure: every $m \stackrel{?}{\approx} t \in \Gamma'$ has $m, t$ formed purely from the
operator $\oplus$ on $0$, constants and variables, or purely from the standard theory of the
term algebra defined in Def. 1;

— $<$ is a linear ordering on variables such that if $X < Y$ then $Y$ does not occur as a
subterm of the instantiation of $X$;

— $p$ is a partition $\{V_1, V_2\}$ of the set of all variables $V$ such that the variables in $V_2$
are treated as constants when $A_{STD}$ is applied and those in $V_1$ are constants when
$A_{ACUN}$ is applied;

— a further partition $p'$ of the variables identifies equivalence classes of $V$; every class
is replaced with a representative, and the members of a class must be unifiable.

Let the combined unifier of $\sigma_{STD}$ and $\sigma_{ACUN}$, denoted $\sigma_{STD} \oplus \sigma_{ACUN} = \sigma$,
be obtained by applying [15, Def. 9], i.e., by induction on $<$. Our aim is to
prove that every $\sigma$ obtained for different combinations of $<, p, p'$ is well-typed.

Let us examine the possible forms of the problems in $\Gamma'$:

ACUN theory: $m \stackrel{?}{\approx}_{ACUN} t$, where $m = a_1 \oplus a_2 \oplus \cdots \oplus a_i$ and $t = b_1 \oplus b_2 \oplus \cdots \oplus b_j$,
and each $a \in \{a_1, \ldots, a_i\}$ and $b \in \{b_1, \ldots, b_j\}$ is a constant or a new
variable in $V$, for some positive $i$ and $j$. The reason is as follows: according to
the requirement on protocol messages for a NUT-Satisfying protocol, none
of $\{a_1, \ldots, a_i\}$ can be an untagged variable. Also, none of $\{b_1, \ldots, b_j\}$ is a
variable, since $P_\oplus$ applies rule (elim), eliminating all stand-alone variables,
before applying any other rule. Lastly, the new variables in $m$ and $t$ correspond to
other problems in $\Gamma'$ of the form $X = [tag, x]$, where $X$ is the new variable,
$tag$ is a constant and $x$ is any term. These new variables have to be treated as
constants when applying $A_{ACUN}$ (they cannot be substituted with $0$, which
is the only substitution that $A_{ACUN}$ can return). With all constants in $m$
and $t$, $A_{ACUN}$, which would normally return a set of '$0$' substitutions for some
variables, returns an empty set of substitutions, answering that $m$ and $t$ are
equivalent (if they are);

STD theory: $m \stackrel{?}{\approx}_{STD} t$, where

1. either $m$ or $t$ is a new variable belonging to $V$; there is no unifier to
existing variables here;

2. $m, t$ are tagged terms of the form $[tag, x]$ and $[tag, x']$, where $tag$ is a
constant. In this case, $m$ unifies with $t$ only if $x$ unifies with $x'$, and the
proof can be applied recursively;

3. $m, t \in CT(S)$; in this case, again the proof applies recursively. For instance,
if $m = h(m')$ and $t = h(t')$ then we need to unify $m'$ and $t'$.
Suppose $m' = [tag, x_1, \ldots, x_n]$ and $t' = [tag, y_1, \ldots, y_n]$. The constant
$tag$ guarantees that $m'$ and $t'$ have the same number of elements ($n$).
Now we need to unify every $x_i$ with $y_i$, for $i = 1$ to $n$. Firstly, if one of
$x_i$ and $y_i$ is a variable, then:

— if $x_i$ or $y_i$ is a new variable, there is no substitution to existing
variables;

— if both are existing variables, then they are both of the same type
by Def. 9 and Assumption 1; similarly if one of them is an atom.

If $x_i, y_i \in CT(S)$, then the proof proceeds recursively to each subterm
in turn.

4. $m$ and $t$ are two new variables in a class of the variable identification
partition $p'$. However, since both are problems in $\Gamma'$ that
map to a tagged pair or compound term in the standard theory, their
unifier is once again well-typed from above. Note that $m$ and $t$ cannot
be existing variables, since these variables come from ACUN problems, and
ACUN problems necessarily contain only new variables, as explained above
in the case of the ACUN theory.
4 More algebraic properties

We now consider some more algebraic properties of message operators. The first
set breaks the free algebra assumption for protocol messages, like XOR. The second
set breaks the perfect encryption assumption.

4.1 Algebraic properties with equational theories 

Monoidal theories. Following the definition of monoidal theories from [16],
we can determine that

— the theory ACU over $\{+, 0\}$, where A stands for associativity, C for commutativity
and U for the existence of Unity, is a monoidal theory;

— the theories ACUIdem and ACUN, where Idem stands for Idempotence and N
for Nilpotence, are also monoidal theories over $\{+, 0\}$ and $\{\oplus, 0\}$ respectively;

— the theory of Abelian Groups (AG or ACUInv) over $\{+, -, 0\}$, where Inv stands
for Inverse and $-$ is a unary operator, is also monoidal.

If we replace or overload the $\oplus$ operator in Section 3 with an operator having Idem or Inv, we
can make a similar argument to the one made for the ACUN properties in Theorem 1:

when the combination algorithm of Baader & Schulz is applied for $E_{STD} \cup E_T$,
where $T$ is a theory with any, some or all of A, C, U, N, Idem, Inv, the algorithm
for $T$, say $A_T$, will return an empty substitution when the operator with theory $T$
is used in the protocol such that every term is type-tagged. Consequently, the
unifier for the combined unification problem will only have substitutions from
$A_{STD}$, which will be well-typed as explained in Theorem 1.

However, we must note that the procedure in [14] that we followed only
considered the ACUN properties. We conjecture that if a suitable constraint solving
algorithm is developed for other monoidal theories as well, then the above
concept of necessarily well-typed unifiers could be used to extend Theorem 1 under
those theories.

Associativity of Pairing. This property allows the equation $[a, [b, c]] = [[a, b], c]$.
Denote this as the theory Assoc.

Component numbering cannot prevent ill-typed unifiers. A simple example
shows this: $[1, A, [b, c], d]$ can be unified with $[1, [a, B], C, D]$, with $\sigma =
\{[a, B]/A, [b, c]/C, d/D\}$. Obviously, $\sigma$ is ill-typed.

However, type-tagging prevents ill-typed unifiers. If we consider the same
example, $[[agent, A], [pair, [[nonce, b], [agent, c]]], [key, d]]$ cannot be unified with
$[[pair, [[agent, a], [nonce, B]]], [agent, C], [key, D]]$ even under associativity, due to
the "pair" tag for pairs.

It would be straightforward to prove this claim formally:

— Following the Baader-Schulz algorithm again, we can first purify the main
unification problem into sub-problems that are either purely in the STD theory
or, through the introduction of new variables, of the form $m \approx t$
where all subterms of $m$ and $t$ are variables, atoms or pairs, for the Assoc
theory;

— the STD theory returns well-typed unifiers as described in the proof of
Theorem 1;

— the unifiable problems in the Assoc theory will resemble $[[tag_1, x_1], \ldots, [tag_n, x_n]] \approx
[[tag_1, y_1], \ldots, [tag_n, y_n]]$. This returns a well-typed unifier if all $x_i \approx y_i$ ($i = 1$
to $n$) return well-typed unifiers, which they do if at least one of $x_i$ or $y_i$ is a
variable, from Def. 9 and Assumption 1. If they are both compound terms,
the proof proceeds recursively.

Associativity and Commutativity of a general operator. The concepts
above can easily be extrapolated to associativity of a general operator, say '$.$',
as well. For instance, $[1, [a.b].C]$ and $[1, A.[b.c]]$ admit an ill-typed unifier, but
$[[pair, [agent, a].[nonce, b]].[key, C]]$ and $[[agent, A].[pair, [nonce, b].[key, c]]]$ do not.

These concepts can be extrapolated to commutativity as well: $[1, n_a.B.a]$
unified with $[1, A.b.N_A]$ admits the ill-typed unifier $\{n_a/A, b/B, a/N_A\}$, but
type-tagging does not allow such a unification and ensures well-typed unification.
Consider the same example: $[nonce.agent.agent, [nonce, n_a].[agent, B].[agent, a]]$
and $[nonce.agent.agent, [agent, A].[agent, b].[nonce, N_A]]$ cannot be unified ill-typedly,
since the tags force $[nonce, n_a]$ to be matched with $[nonce, N_A]$.

It should be straightforward to extend the formal proof that we outlined
for associativity of pairing to the cases of associativity and commutativity of a
general operator.

4.2 Algebraic properties with cipher weaknesses 

Some algebraic properties violate the perfect encryption assumption without
altering the freeness of the message algebra. If they only produce subterms, like the
following inference rule due to Coppersmith [17], the main theorem still stands,
since unification in the STD theory will still be well-typed (recall the steps
of STD theory unification in the proof of Theorem 1 that handle the case
$m \approx_{STD} t$: they consider $m$ and $t$ to be subterms of the semi-bundle):

$\{ [a, x, b]^{\to}_k,\ [c, x, d]^{\to}_k,\ a, b, c, d \} \vdash x$, where $a \neq c \vee b \neq d$.

Clearly, since this inference produces only a subterm ($x$), the main result stands
in its presence, and no type-flaw attacks are possible if the protocol obeys
NUT.

Some others produce non-subterms, such as the Prefix property and homomorphic
encryption discussed in [8]. Let us examine if and how prudent tagging
could be adopted to prevent type-flaw attacks under these properties.

Prefix property. The Prefix property is obeyed by block cipher modes
such as CBC and ECB. This property lets the attacker infer $[m]^{\leftrightarrow}_k$ (a
non-subterm) from $[m, n]^{\leftrightarrow}_k$, thereby invalidating Theorem 1.
Consider the Woo and Lam $\Pi_1$ protocol modified by inserting component
numbers inside each encrypted component⁴:

Msg 1. $a \to b : a$

Msg 2. $b \to a : n_b$

Msg 3. $a \to b : [a, b, n_b, 1]^{\leftrightarrow}_{sh(a,s)}$

Msg 4. $b \to s : [a, b, [a, b, n_b, 1]^{\leftrightarrow}_{sh(a,s)}, 2]^{\leftrightarrow}_{sh(b,s)}$

Msg 5. $s \to b : [a, b, n_b, 3]^{\leftrightarrow}_{sh(b,s)}$

$sh(x, y)$ represents a shared key between agents $x$ and $y$. We presented a type-flaw
attack on this protocol in [18] even when it uses component numbering, if
the Prefix property is exploited and pairing is associative:

Msg 1. $a \to b : a$

Msg 2. $b \to a : n_b$

Msg 3. $I(a) \to b : [n_b, 3]$  /* in place of $[a, b, n_b, 1]^{\leftrightarrow}_{sh(a,s)}$ */

Msg 4. $b \to I(s) : [a, b, [n_b, 3], 2]^{\leftrightarrow}_{sh(b,s)}$

Msg 5. $I(s) \to b : [a, b, n_b, 3]^{\leftrightarrow}_{sh(b,s)}$  /* using the Prefix property on Msg 4 */

This attack works because an attacker can infer $[a, b, n_b, 3]^{\leftrightarrow}_{sh(b,s)}$ from Msg 4
($[a, b, [n_b, 3], 2]^{\leftrightarrow}_{sh(b,s)}$) by exploiting the Prefix property and the associativity of pairing.

This attack can be easily prevented by adopting type-tagging, since it eliminates
associativity of pairing as explained previously. It can also be prevented
by simply inserting component numbers at the beginning of encryptions instead
of at the end.
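The prefix property belongs to the CBC (and ECB) chaining, not to any weakness of the block cipher, so the truncation step of the attack above works with any block cipher and needs no key. The following Python is an added example, not code from the paper or from Woo and Lam: CBC mode over a toy Feistel block cipher (a stand-in chosen so that the script runs without any library), one protocol field per block, and a function that plays $I(s)$ by truncating the Msg 4 ciphertext and checking whether some prefix decrypts to the Msg 5 that $b$ expects, both with the component number at the end ($[a, b, [n_b, 3], 2]$) and at the beginning ($[2, a, b, [3, n_b]]$). The key, the IV and the field encoding are constructed for the example.

```python
import hashlib

BLOCK = 16  # bytes per cipher block; one protocol field per block below


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, i, half):
    return hashlib.sha256(key + bytes([i]) + half).digest()[:BLOCK // 2]


def toy_encrypt_block(key, block):
    """Four-round Feistel network on 16-byte blocks.  A stand-in only: the
    prefix property comes from the CBC chaining, so any block cipher shows it."""
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(4):
        left, right = right, _xor(left, _round(key, i, right))
    return left + right


def toy_decrypt_block(key, block):
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in reversed(range(4)):
        left, right = _xor(right, _round(key, i, left)), left
    return left + right


def cbc_encrypt(key, iv, blocks):
    """CBC without padding.  Returns the ciphertext blocks; the IV is assumed
    to travel with the message, so the attacker can reuse it unchanged."""
    out, prev = [], iv
    for p in blocks:
        prev = toy_encrypt_block(key, _xor(p, prev))
        out.append(prev)
    return out


def cbc_decrypt(key, iv, blocks):
    out, prev = [], iv
    for c in blocks:
        out.append(_xor(toy_decrypt_block(key, c), prev))
        prev = c
    return out


def field(name):
    """Constructed encoding: one field per block, NUL-padded."""
    return name.encode().ljust(BLOCK, b"\0")


def woo_lam_prefix_attack(numbers_first):
    """I(s) receives b's Msg 4 and, without sh(b,s), truncates its ciphertext
    hoping that some prefix is exactly the Msg 5 that b expects.  With the
    component number last, Msg 4 is [a, b, [n_b, 3], 2] (flattened by
    associativity of pairing) and its 4-block prefix is Msg 5 = [a, b, n_b, 3].
    With the number first, Msg 4 is [2, a, b, [3, n_b]] and Msg 5 is
    [3, a, b, n_b]; every prefix of Msg 4 starts with the block '2'."""
    key_bs = hashlib.sha256(b"constructed long-term key sh(b,s)").digest()
    iv = hashlib.sha256(b"constructed IV for Msg 4").digest()[:BLOCK]
    if numbers_first:
        msg4 = [field(x) for x in ("2", "a", "b", "3", "n_b")]
        msg5 = [field(x) for x in ("3", "a", "b", "n_b")]
    else:
        msg4 = [field(x) for x in ("a", "b", "n_b", "3", "2")]
        msg5 = [field(x) for x in ("a", "b", "n_b", "3")]
    ct4 = cbc_encrypt(key_bs, iv, msg4)
    return any(cbc_decrypt(key_bs, iv, ct4[:k]) == msg5
               for k in range(1, len(ct4) + 1))
```

The prefix property itself is `cbc_encrypt(k, iv, P)[:j] == cbc_encrypt(k, iv, P[:j])` for every `j`, which is why `woo_lam_prefix_attack(False)` succeeds with the number at the end. Moving the number to the front (`woo_lam_prefix_attack(True)`) does not remove the property, it only makes every truncation of Msg 4 carry the wrong first block; under a homomorphic inference, discussed next, even that fails.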

Homomorphism of Encryptions. With this property, it would be possible
to infer the non-subterms $[m]_k$ and $[n]_k$ from $[m, n]_k$. Obviously, this is stronger
than the Prefix property.

The "pair" tag, assumed to be contained within the brackets, cannot void this inference.
For instance, a term $[[type_1, t_1], [type_2, t_2]]_k$ can still yield the non-subterms
$[type_1, t_1]_k$ and $[type_2, t_2]_k$. Even with component numbering, a term such as
$[1, [t_1, t_2]]_k$ can be broken down into $[1]_k$ and $[t_1, t_2]_k$.

With a range of such non-subterm encryptions to infer, it can be easily seen
that neither component numbers nor type-tags, no matter how they are placed,
can prevent the attack on the Woo and Lam protocol above under this inference.

In particular, if the plaintext block length equals the length of a nonce or
an agent name, then the attacker can easily infer $[a]_{sh(b,s)}$, $[b]_{sh(b,s)}$ and $[n_b]_{sh(b,s)}$ from Msg 4
under any tagging. He can then replay Msg 5 by stitching these together.

However, this inference is only possible under an extremely weak system such
as ECB, so a realistic threat in real-world situations is unlikely.

⁴ Heather et al. [1] do not specify the exact position where component numbers need
to be inserted, although they inserted numbers at the beginning of encryptions in
their examples.
5 Conclusion

In this paper, we provided a proof that adopting type-tagging for message fields
in a protocol prevents type-flaw attacks under the ACUN properties induced by
the most popular Exclusive-OR operator. We also extrapolated those results to
many other interesting and commonly encountered theories.

We did not find a single property under which component numbering prevents
type-flaw attacks that type-tagging cannot, although we presented several
examples where the opposite is true. However, we advocate the use of
component numbering in addition to type-tagging, since it prevents the replay
of different terms of the same type as well.

The most significant advantage of being able to prevent type-flaw attacks is
that analysis can be restricted to well-typed runs only. This has been shown
to be a decidable problem in the standard, free theory, but not yet for monoidal
theories. We are currently in this pursuit.